Enterprise Risk Management - OBFS
Enterprise Risk Management July 2014
There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction. ~ John F. Kennedy
Risk: adversely affects an organization’s ability to achieve its goals and
objectives – What is our “tolerance” for risk?
Opportunity: assists an organization’s ability to achieve its goals and
objectives – What is our “appetite” for risk?
Vision: Create a risk-aware culture that educates its members on risk
management, allowing the University to identify risks and make plans to
avoid material impact on finances and operations while encouraging the
acceptance of manageable risks
Enterprise Risk Management is a structured process designed to:
Support the achievement of University goals
Identify potential threats and manage them within our tolerance for risk
Maintain a balanced view of risk and reward
Include people at every level of the organization
Provide reasonable assurance to management and the Board of Trustees
Provides strategic risk support & oversight through a systematic process
of understanding, evaluating and fostering action on significant risks
Establishes a portfolio approach to managing risk, considering internal,
external and cross-entity risks
Promotes alignment of strategy and risk appetite
Promotes an environment of ownership of and accountability for
significant risks and the response to those risks
Provides a foundation for superior planning and budgeting
Comparative Responsibilities
Shared Goal (all four functions): Support ACHIEVEMENT OF UNIVERSITY OBJECTIVES by limiting material impacts, while encouraging the acceptance of manageable risks
Enterprise Risk Management
• Focus: STRATEGIC
• Purpose: Promote a RISK-INTELLIGENT CULTURE leading to integrated and coordinated risk identification and management
University Audits
• Focus: OVERSIGHT
• Purpose: Provide OBJECTIVE ASSURANCE that the risk management process is working effectively
Univ. Office of Risk Management
• Focus: FINANCIAL
• Purpose: Provide RISK FINANCING, including commercial and self insurance for funding risk
Campus Administration
• Focus: OPERATIONAL
• Purpose: Provide LOSS CONTROL and PREVENTION
ERM at the University of Illinois
Office of ERM established November 2009
Process is based on facilitation
• The risk owners are better positioned to manage the risk
• Process adds value by providing support and a holistic perspective
Enterprise-wide risk assessment every two years
• Raise risk consciousness
• Identify and review significant risks
• Promote mitigation strategies
Executive Risk Management Committee
ERM Process
Risk Assessment Council
Administrative Reporting
Process Effectiveness & Consulting
Strategic Risk Information
Business & Finance Academic Affairs
External Relations
Medical
Governance & Org
Student Affairs
Compliance
Research
Human Resources
Treasury
Information Tech.
Risk Centers
Risk Data
University of Illinois Board of Trustees
President
Vice President / Chief Financial Officer
Office of Enterprise Risk Management
Sr. Assoc. VP - OBFS
Exec. Director of University
Audits
Exec. Director University Risk Mgmt.
Strategic Risk Centers
Risk Centers provide a nexus for related risks, promote efficient
management of risks and encourage a focus on risks that impact a
particular area
Risk Center Leaders oversee the assessment of risks within their
respective Risk Centers and look for risk relationships with other Risk
Centers
Risk Owners have responsibility for specific risks, are subject matter
experts and are positioned to influence the organization regarding the risk
Risks Without Owners are defined as “Institutional” and should be
mitigated at the enterprise level
Accountability For Risk
ERM Basic Process
• IDENTIFY OBJECTIVES
• IDENTIFY RISK
• SPECIFY RISK TOLERANCE LEVEL
• MEASURE INDIVIDUAL RISK
• Decision: EXCEEDS TOLERANCE → REDUCE RISK; WITHIN TOLERANCE → CONTROL AND MONITOR
• REPORT TO RISK ASSESSMENT COUNCIL
LIKELIHOOD
Score  Definition
5  Almost certain; expected to occur
4  Likely; probably will occur
3  Possible; might occur at some time
2  Unlikely; could occur at some time
1  Rare; may occur
IMPACT ($50 million Scale)
Score  Definition (Financial / Non-Financial)
5  Greater than $50 million, or extreme reputational impact
4  $25 million to $50 million, or high reputational impact
3  $5 million to $25 million, or medium to low reputational impact
2  $100,000 to $5 million, or low to no reputational impact
1  Less than $100,000, or no reputational impact
(Impact and Likelihood reflect existing controls)
Risk Score* / Consequences / Immediate Actions
Very High Risk (21-25)
• Consequences: Extreme financial loss; extreme reputational impact
• Immediate Actions: Requires essential and immediate allocation and organization of resources to manage/mitigate the risk; establish plans and countermeasures.
High Risk (16-20)
• Consequences: High financial loss; high reputational impact
• Immediate Actions: Requires priority allocation of resources for management and/or mitigation; establish plans and countermeasures.
Moderate Risk (11-15)
• Consequences: Moderate financial loss; medium to low reputational impact
• Immediate Actions: Allocation of resources for study is desirable; risk should be monitored for increases in impact or likelihood.
Low Risk (6-10)
• Consequences: Low financial loss; low to no reputational impact
• Immediate Actions: Generally does not require action, but should be reviewed periodically.
Very Low Risk (1-5)
• Consequences: Negligible financial loss; no reputational impact
• Immediate Actions: No action required.
* Risk Score = Impact (1 to 5) x Likelihood (1 to 5)
Dashboard - Screening Risks for materiality based on the Risk Score
(Heat map: Impact – Reputational and/or Financial, rated Very Low / Low / Moderate / High / Very High, plotted against Likelihood)
Major Initiatives
Risk Culture Survey
Risk Appetite Statements and Tolerance Guidelines
ERM Information System (ERMIS)
Risk Committees
Response Framework
Unit Level ERM Process
Risk Culture
Risk culture was raised persistently as an issue during the course of both enterprise-wide risk assessments. Comments offered include:
• “…consistently reluctant to any risk taking”
• “…unwilling to find solutions that accept some level of reasonable risk”
• “…unclear how much risk is acceptable”
• “…no consideration of risk versus reward in many areas”
Risk Culture describes how stakeholders confront and respond to risk
and uncertainty
Risk culture can be defined as the norms and traditions of behavior of
individuals and of groups within an organization that determine the way
in which they identify, understand, discuss and act on the risks the
organization confronts and takes.1
Benefits of a progressive risk culture
• Enhanced decision-making where uncertainty exists
• Stronger ability to adapt to a changing environment
• Improved recognition of diverse risk factors
• Better ability to react to unexpected crises
1 Report: Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, Institute of International Finance, 2009.
Risk Appetite Statements and Tolerance Guidelines (example only)
Each Risk Appetite Category is rated Low Tolerance, Moderate Tolerance or High Tolerance:
• Instructional Mission
• Research Mission
• Public Service Mission
• Economic Development Mission
• Safety Issues
• Compliance with Laws & Regulations
• Productivity & Creativity
• Financial Reward
• Reputation
(Chart: Relative Risk Appetite by Category, Categories 1 through 9)
ERM Information System (ERMIS)
Assists with embedding the ownership, management, review and
reporting of risk to all stakeholders
Manages risks in a structured way
Reports across the enterprise
Risk Committees
Leverage expertise and leadership across the enterprise
Integrate ERM within the governance and management processes
Link critical risks with related planning activities
Working with the President’s office on a proposed structure
Ample involvement by campuses
Information & Response Framework
(Diagram) Information Phase – Discovery, Evaluation, Communication: Goals; Risk Drivers; Risk Appetite; Risk Tolerance; Budget Impacts
(Diagram) Response Phase: Activity Impacts; Critical Risk Reviews; Board of Trustees; Favored Response Strategies; Risk Owners; Leadership; Monitor / Report
Unit Level ERM Process
Strategic Risks
• Impact Range – <$100,000 to >$50 million
• Stakeholder Focus – Global (University Wide & Campus)
• Process – List your goals, identify & evaluate barriers, and develop plan B
Unit Level Risks
• Impact Range – <$25,000 to >$5 million
• Stakeholder Focus – Unit
• Process – List your goals, identify & evaluate barriers, and develop plan B
What ERM Is
• Strategic risk support
• A portfolio approach to managing risks that may span multiple University units
• Value-adding to an organization’s goals and objectives
• A lean process designed to manage risk without adding new costs
What ERM Is Not
• The “risk police”
• Intrusive into an organization’s operations
• Burdensome
• Data driven
• Costly to implement and maintain
• Insurance, safety or loss control
ERM at the University of Illinois is a partnering process designed to:
Identify material risks by fostering a risk dialogue with all University
stakeholders
Raise awareness of risk and uncertainty in all of our activities
Recognize risks that cross boundaries within the decentralized
structure
Provide support to manage risks
Questions?
Joda Morton, Associate Director of Enterprise Risk Management, [email protected], 217-244-7480
Dan Mortland, Assistant Vice President for Enterprise Services, [email protected], 217-244-7483
COSO
(Figure: Process Organizational Impact – the COSO components Internal Environment & Objective Setting, Risk Identification, Risk Assessment, Risk Response & Control Activities, and Communication & Monitoring, mapped against the Risk Centers Academic Affairs, Business & Finance, Compliance, External Relations, Governance & Organizational, Human Resources, Information Technology, Medical, Research, Student Affairs and Treasury, and the Urbana-Champaign, Chicago, Springfield and University Wide units)
Based on the widely employed framework developed by the Committee Of Sponsoring Organizations of the Treadway Commission (COSO)
Modified to incorporate the unique environment at the University of Illinois
Defines essential components, suggests a common language and provides clear direction and guidance for risk management
Executive Perspectives on 2014 Top Risks2
1. Regulatory changes & heightened regulatory scrutiny
2. Economic conditions
3. Uncertainty surrounding political leadership
4. Succession, recruiting and retention challenges
5. Organic growth
6. Cyber threats
7. Organizational resistance to change
8. Privacy/identity management & information security
9. Anticipated volatility in global financial markets
10. Healthcare reform compliance costs
2 North Carolina State University's ERM Initiative survey of board members and executives, seeking their views about the most pressing risks for their organizations in 2014
Alternative Impact Scale - $1 million Scale
LIKELIHOOD
Score  Definition
5  Almost certain; expected to occur
4  Likely; probably will occur
3  Possible; might occur at some time
2  Unlikely; could occur at some time
1  Rare; may occur
IMPACT ($1 million Scale)
Score  Definition (Financial / Non-Financial)
5  Greater than $1 million, or extreme reputational impact
4  $0.5 million to $1 million, or high reputational impact
3  $0.1 million to $0.5 million, or medium to low reputational impact
2  $5,000 to $0.1 million, or low to no reputational impact
1  Less than $5,000, or no reputational impact
(Impact and Likelihood reflect existing controls)